===========================
Device Whitelist Controller
===========================

1. Description
==============

Implement a cgroup to track and enforce open and mknod restrictions
on device files.  A device cgroup associates a device access
whitelist with each cgroup.  A whitelist entry has 4 fields.
'type' is a (all), c (char), or b (block).  'all' means it applies
to all types and all major and minor numbers.  Major and minor are
either an integer or * for all.  Access is a composition of r
(read), w (write), and m (mknod).

The root device cgroup starts with rwm to 'all'.  A child device
cgroup gets a copy of the parent.  Administrators can then remove
devices from the whitelist or add new entries.  A child cgroup can
never receive a device access which is denied by its parent.

2. User Interface
=================

An entry is added using devices.allow, and removed using
devices.deny.  For instance::

    echo 'c 1:3 mr' > /sys/fs/cgroup/1/devices.allow

allows cgroup 1 to read and mknod the device usually known as
/dev/null (character device 1:3).  Doing::

    echo a > /sys/fs/cgroup/1/devices.deny

will remove the default 'a *:* rwm' entry.  Doing::

    echo a > /sys/fs/cgroup/1/devices.allow

will add the 'a *:* rwm' entry to the whitelist.

3. Security
===========

Any task can move itself between cgroups.  This clearly won't
suffice, but we can decide the best way to adequately restrict
movement as people get some experience with this.  We may just want
to require CAP_SYS_ADMIN, which at least is a separate bit from
CAP_MKNOD.  We may want to just refuse moving to a cgroup which
isn't a descendant of the current one.  Or we may want to use
CAP_MAC_ADMIN, since we really are trying to lock down root.

CAP_SYS_ADMIN is needed to modify the whitelist or move another
task to a new cgroup.  (Again we'll probably want to change that).

A cgroup may not be granted more permissions than the cgroup's
parent has.

4. Hierarchy
============

Device cgroups maintain hierarchy by making sure a cgroup never has more
access permissions than its parent.  Every time an entry is written to
a cgroup's devices.deny file, all its children will have that entry removed
from their whitelist and all the locally set whitelist entries will be
re-evaluated.
In case one of the locally set whitelist entries would provide
more access than the cgroup's parent, it will be removed from the whitelist.

Example::

      A
     / \
        B

    group        behavior    exceptions
    A            allow       "b 8:* rwm", "c 116:1 rw"
    B            deny        "c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"

If a device is denied in group A::

    # echo "c 116:* r" > A/devices.deny

it will propagate down and, after revalidating B's entries, the whitelist entry
"c 116:2 rwm" will be removed::

    group        whitelist entries
    A            all
    B            "c 1:3 rwm", "b 3:* rwm"

In case the parent's exceptions change and local exceptions are not allowed
anymore, they will be deleted.

Notice that new whitelist entries will not be propagated::

      A
     / \
        B

    group        whitelist entries
    A            "c 1:3 rwm", "c 1:5 r"
    B            "c 1:3 rwm", "c 1:5 r"

when adding ``c *:3 rwm``::

    # echo "c *:3 rwm" >A/devices.allow

the result is::

    group        whitelist entries
    A            "c *:3 rwm", "c 1:5 r"
    B            "c 1:3 rwm", "c 1:5 r"

but now it will be possible to add new entries to B::

    # echo "c 2:3 rwm" >B/devices.allow
    # echo "c 50:3 r" >B/devices.allow

or even::

    # echo "c *:3 rwm" >B/devices.allow

Allowing or denying all by writing 'a' to devices.allow or devices.deny will
not be possible once the device cgroup has children.

4.1 Hierarchy (internal implementation)
---------------------------------------

Device cgroups are implemented internally using a behavior (ALLOW/DENY) and a
list of exceptions.  The internal state is controlled using the same user
interface to preserve compatibility with the previous whitelist-only
implementation.  Removal or addition of exceptions that will reduce the access
to devices will be propagated down the hierarchy.
For every propagated exception, the effective rules will be re-evaluated based
on the current parent's access rules.
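The rules above (entry format, the open/mknod check, the "never more than the parent" rule, deny propagation and re-evaluation, and the 'a' restriction once a cgroup has children) can be exercised without root or a mounted cgroup v1 tree with the following model, which is an added example and not code from the kernel or its documentation. The class and function names (``DevCgroup``, ``parse_rule``, ``may_access``, ``matches``) are this example's own; it folds whitelist entries that a wider new entry covers, as the tables above present them, and returns the errno name a write would fail with instead of raising:

```python
# Added example, not part of the kernel documentation: a model of the devices
# cgroup whitelist semantics.  DevCgroup, parse_rule, matches and may_access
# are this example's own names, not kernel interfaces.
from typing import List, Optional, Tuple

ALLOW, DENY = "allow", "deny"   # default behavior; the exception list inverts it
Entry = Tuple[str, Optional[int], Optional[int], frozenset]   # (type, major, minor, access)


def parse_rule(rule: str) -> Entry:
    """Parse a devices.allow/deny line: 'c 1:3 rwm', 'b *:* r', or 'a' for everything."""
    parts = rule.split()
    if parts and parts[0] == "a":
        return ("a", None, None, frozenset("rwm"))
    if (len(parts) != 3 or parts[0] not in ("b", "c")
            or not parts[2] or not set(parts[2]) <= set("rwm")):
        raise ValueError(f"malformed rule {rule!r}")
    maj, mnr = (None if v == "*" else int(v) for v in parts[1].split(":"))
    return (parts[0], maj, mnr, frozenset(parts[2]))


def fmt(e: Entry) -> str:
    star = lambda v: "*" if v is None else str(v)
    return f"{e[0]} {star(e[1])}:{star(e[2])} " + "".join(c for c in "rwm" if c in e[3])


def matches(e: Entry, ex: Entry, partial: bool) -> bool:
    """Full match: e names every device and access bit of ex.  Partial match: e and ex
    share at least one device and one access bit.  None in an entry is the '*' wildcard."""
    if partial:
        same = lambda a, b: a is None or b is None or a == b
        return (("a" in (e[0], ex[0]) or e[0] == ex[0]) and same(e[1], ex[1])
                and same(e[2], ex[2]) and bool(e[3] & ex[3]))
    fits = lambda a, b: a is None or a == b
    return e[0] in ("a", ex[0]) and fits(e[1], ex[1]) and fits(e[2], ex[2]) and ex[3] <= e[3]


class DevCgroup:
    def __init__(self, name: str, parent: "Optional[DevCgroup]" = None):
        self.name, self.parent, self.children = name, parent, []
        # the root starts as 'a *:* rwm'; a child starts as a copy of its parent
        self.behavior = ALLOW if parent is None else parent.behavior
        self.exceptions: List[Entry] = [] if parent is None else list(parent.exceptions)
        if parent is not None:
            parent.children.append(self)

    def may_access(self, dev: str) -> bool:
        # the open()/mknod() decision for a concrete device and access, e.g. 'c 1:3 r':
        # allow-by-default denies on a partial hit, deny-by-default grants on a full hit
        ex = parse_rule(dev)
        hit = any(matches(e, ex, self.behavior == ALLOW) for e in self.exceptions)
        return hit if self.behavior == DENY else not hit

    def parent_permits(self, ex: Entry) -> bool:
        """The 'never more than the parent' rule for a candidate exception ex."""
        p = self.parent
        if p is None or (p.behavior == ALLOW and self.behavior == ALLOW):
            return True            # ex is a deny under an allowing parent: it only tightens
        if p.behavior == ALLOW:    # ex is a grant: the parent must not deny any part of it
            return not any(matches(e, ex, True) for e in p.exceptions)
        return any(matches(e, ex, False) for e in p.exceptions)   # grant inside a parent grant

    def allow(self, rule: str) -> Optional[str]:
        """echo rule > devices.allow: None on success, else the errno the write fails with."""
        ex = parse_rule(rule)
        if ex[0] == "a":
            return self._set_behavior(ALLOW)
        if self.behavior == DENY:
            if not self.parent_permits(ex):
                return "EPERM"
            self._add(ex)
        elif self.parent and any(matches(e, ex, True) for e in self.parent.exceptions):
            return "EPERM"         # allow-by-default: cannot withdraw a deny the parent imposed
        else:
            self._remove(ex)       # allow-by-default: the write withdraws a local deny
        return None

    def deny(self, rule: str) -> Optional[str]:
        """echo rule > devices.deny: the new restriction propagates to every descendant."""
        ex = parse_rule(rule)
        if ex[0] == "a":
            return self._set_behavior(DENY)
        (self._add if self.behavior == ALLOW else self._remove)(ex)
        self._propagate(ex, self.behavior)
        return None

    def _propagate(self, ex: Entry, origin: str) -> None:
        for cg in self.children:
            if origin == ALLOW and cg.behavior == ALLOW:
                cg._add(ex)        # both allow by default: the deny is copied down
            else:
                cg._remove(ex)     # otherwise the matching grant is withdrawn
            cg.exceptions = [e for e in cg.exceptions if cg.parent_permits(e)]   # re-evaluate
            cg._propagate(ex, origin)

    def _set_behavior(self, behavior: str) -> Optional[str]:
        if self.children:
            return "EINVAL"        # writing 'a' is refused once the cgroup has children
        if behavior == ALLOW and self.parent and self.parent.behavior == DENY:
            return "EPERM"         # no allow-all under a deny-by-default parent
        self.behavior = behavior
        self.exceptions = list(self.parent.exceptions) if behavior == ALLOW and self.parent else []
        return None

    def _add(self, ex: Entry) -> None:
        for i, e in enumerate(self.exceptions):
            if e[:3] == ex[:3]:    # same device: merge the access bits
                self.exceptions[i] = e[:3] + (e[3] | ex[3],)
                return
        if self.behavior == DENY:  # a wider grant makes narrower ones redundant (as in the tables)
            self.exceptions = [e for e in self.exceptions if not matches(ex, e, False)]
        self.exceptions.append(ex)

    def _remove(self, ex: Entry) -> None:
        """Clear ex's access bits from the entry for that exact device; drop it when none remain."""
        edited = [e if e[:3] != ex[:3] else e[:3] + (e[3] - ex[3],) for e in self.exceptions]
        self.exceptions = [e for e in edited if e[3]]

    def whitelist(self) -> List[str]:
        return ["all"] if self.behavior == ALLOW else [fmt(e) for e in self.exceptions]


def doc_examples():
    """Replays the two hierarchy examples above; returns (A, B, A2, B2, refused)."""
    a = DevCgroup("A", DevCgroup("root"))
    a.deny("b 8:* rwm"); a.deny("c 116:1 rw")
    b = DevCgroup("B", a)
    b.deny("a")                                   # B: deny by default, empty whitelist
    for rule in ("c 1:3 rwm", "c 116:2 rwm", "b 3:* rwm"):
        b.allow(rule)
    a.deny("c 116:* r")                           # propagates: B loses "c 116:2 rwm"
    a2 = DevCgroup("A", DevCgroup("root"))
    a2.deny("a"); a2.allow("c 1:3 rwm"); a2.allow("c 1:5 r")
    b2 = DevCgroup("B", a2)                       # starts as a copy of A
    refused = b2.allow("c 2:3 rwm")               # "EPERM": A has no grant covering it yet
    a2.allow("c *:3 rwm")                         # widens A only; grants never propagate down
    b2.allow("c 2:3 rwm"); b2.allow("c 50:3 r")
    return a, b, a2, b2, refused
```

``doc_examples()`` reproduces both tables: after ``a.deny("c 116:* r")`` B is left with ``c 1:3 rwm`` and ``b 3:* rwm``, and ``b2.allow("c 2:3 rwm")`` fails with EPERM until A holds ``c *:3 rwm``. ``may_access`` is the per-open decision, so the same objects answer questions such as whether a task in A may still write ``c 116:7`` after only read access to major 116 was denied.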